feat: Add extraEnvFrom for mounting multiple secrets/cms

lindhe · lindhe · commit 29f53c5be217 · 2025-03-18T09:13:02.000+01:00
This feature allows users to specify a list of `secretRef` or
`configMapRef` objects which should be added to the `envFrom` field in
the Invenio containers. This reduces the need for repeating the name and
value of each environment variable that the user wants to add; instead
they can simply define them all in one or more secrets/configmaps and
let `envFrom` do the work of adding each variable to the container's
environment.
diff --git a/charts/invenio/templates/flower/deployment.yaml b/charts/invenio/templates/flower/deployment.yaml
@@ -44,6 +44,15 @@ spec:
                 secretKeyRef:
                   name: {{ .Values.flower.secret_name }}
                   key: FLOWER_BASIC_AUTH_CREDENTIALS
+          {{- if (or .Values.invenio.extraEnvFrom .Values.flower.extraEnvFrom) }}
+          envFrom:
+            {{- with .Values.invenio.extraEnvFrom }}
+            {{- . | toYaml | nindent 12 }}
+            {{- end }}
+            {{- with .Values.flower.extraEnvFrom }}
+            {{- . | toYaml | nindent 12 }}
+            {{- end }}
+          {{- end }}
           {{- if .Values.flower.resources }}
           resources: {{- toYaml .Values.flower.resources | nindent 12 }}
           {{- end }}
diff --git a/charts/invenio/templates/web-deployment.yaml b/charts/invenio/templates/web-deployment.yaml
@@ -33,6 +33,12 @@ spec:
             name: {{ include "invenio.fullname" . }}-config
         - secretRef:
             name: {{ include "invenio.secretName" . }}
+        {{- with .Values.invenio.extraEnvFrom }}
+        {{- . | toYaml | nindent 8 }}
+        {{- end }}
+        {{- with .Values.web.extraEnvFrom }}
+        {{- . | toYaml | nindent 8 }}
+        {{- end }}
         env:
         - name: TZ
           value: {{ required "Missing .Values.global.timezone" .Values.global.timezone }}
diff --git a/charts/invenio/templates/worker-beat-deployment.yaml b/charts/invenio/templates/worker-beat-deployment.yaml
@@ -45,6 +45,12 @@ spec:
             name: {{ include "invenio.fullname" . }}-config
         - secretRef:
             name: {{ include "invenio.secretName" . }}
+        {{- with .Values.invenio.extraEnvFrom }}
+        {{- . | toYaml | nindent 8 }}
+        {{- end }}
+        {{- with .Values.workerBeat.extraEnvFrom }}
+        {{- . | toYaml | nindent 8 }}
+        {{- end }}
         env:
         - name: TZ
           value: {{ required "Missing .Values.global.timezone" .Values.global.timezone }}
diff --git a/charts/invenio/templates/worker-deployment.yaml b/charts/invenio/templates/worker-deployment.yaml
@@ -36,6 +36,12 @@ spec:
                 name: {{ include "invenio.fullname" . }}-config
             - secretRef:
                 name: {{ include "invenio.secretName" . }}
+            {{- with .Values.invenio.extraEnvFrom }}
+            {{- . | toYaml | nindent 12 }}
+            {{- end }}
+            {{- with .Values.worker.extraEnvFrom }}
+            {{- . | toYaml | nindent 12 }}
+            {{- end }}
           env:
           - name: TZ
             value: {{ required "Missing .Values.global.timezone" .Values.global.timezone }}
diff --git a/charts/invenio/values.yaml b/charts/invenio/values.yaml
@@ -85,6 +85,13 @@ invenio:
     #       name: name-of-my-secret
     #       key: KEY_IN_MY_SECRET
   uwsgiExtraConfig: {}
+  ## @param invenio.extraEnvFrom Extra secretRef or configMapRef for the `envFrom` field in all Invenio containers
+  ##
+  extraEnvFrom: []
+    # - secretRef:
+    #     name: foo
+    # - configMapRef:
+    #     name: bar
 
   ## @param invenio.vocabularies Vocabularies to be loaded as files under /app_data/vocabularies
   ## Example
@@ -234,6 +241,13 @@ web:
     capabilities:
       drop:
         - ALL
+  ## @param web.extraEnvFrom Extra secretRef or configMapRef for the `envFrom` field in the web container
+  ##
+  extraEnvFrom: []
+    # - secretRef:
+    #     name: foo
+    # - configMapRef:
+    #     name: bar
 
 worker:
   enabled: true
@@ -273,6 +287,13 @@ worker:
     capabilities:
       drop:
         - ALL
+  ## @param worker.extraEnvFrom Extra secretRef or configMapRef for the `envFrom` field in the worker container
+  ##
+  extraEnvFrom: []
+    # - secretRef:
+    #     name: foo
+    # - configMapRef:
+    #     name: bar
 
 workerBeat:
   ## @param workerBeat.extraEnvVars Extra environment variables (templated) to be added to the pods.
@@ -300,6 +321,13 @@ workerBeat:
     runAsGroup: 1000
     seccompProfile:
       type: "RuntimeDefault"
+  ## @param workerBeat.extraEnvFrom Extra secretRef or configMapRef for the `envFrom` field in the worker-beat container
+  ##
+  extraEnvFrom: []
+    # - secretRef:
+    #     name: foo
+    # - configMapRef:
+    #     name: bar
 
 persistence:
   enabled: true
@@ -361,6 +389,13 @@ flower:
     limits:
       memory: 250Mi
       cpu: 0.1
+  ## @param flower.extraEnvFrom Extra secretRef or configMapRef for the `envFrom` field in the flower container
+  ##
+  extraEnvFrom: []
+    # - secretRef:
+    #     name: foo
+    # - configMapRef:
+    #     name: bar
 
 postgresql:
   enabled: true
